Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#10775] - Security issue: a user with access to User Manager can change his own user group

?
avatar infograf768
infograf768
10 Jun 2016

Steps to reproduce the issue

Create a subgroup of administrator
for example "testgroup"
Deny some permissions for that group, for example Create, Edit, etc. (anything for the sake of the demonstration) globally or for any component.
Log with a user member of the "testgroup"
Go to User Manager, edit the user, change his group to Administrator

Expected result

One should have an error stating that a user can't change group

Actual result

The user can make himself administrator...

Additional comments

avatar infograf768 infograf768 - open - 10 Jun 2016
avatar brianteeman brianteeman - change - 10 Jun 2016
Labels Added: ?
avatar brianteeman brianteeman - change - 10 Jun 2016
Category ACL
avatar infograf768 infograf768 - change - 10 Jun 2016
Status New Closed
Closed_Date 0000-00-00 00:00:00 2016-06-10 10:42:57
Closed_By infograf768
Build master staging
avatar infograf768 infograf768 - change - 10 Jun 2016
Labels Added: ?
avatar infograf768 infograf768 - close - 10 Jun 2016
avatar infograf768 infograf768 - close - 10 Jun 2016
avatar infograf768
infograf768 - comment - 10 Jun 2016

Closing as we have a patch

#10776

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10775.

Add a Comment

Login with GitHub to post a comment